Securing the Information Infrastructure
Joseph M. Kizza, University of Tennessee at Chattanooga, USA
Florence M. Kizza, Freelance Writer, USA
Acquisition Editor: Kristin Klinger
Senior Managing Editor: Jennifer Neidig
Managing Editor: Sara Reed
Development Editor: Kristin Roth
Copy Editor: Heidi Hormel
Typesetter: Michael Brehm
Cover Design: Lisa Tosheff
Printed at: Yurchak Printing Inc.
Published in the United States of America by
CyberTech Publishing (an imprint of IGI Global) 701 E. Chocolate Avenue
Hershey PA 17033 Tel: 717-533-8845 Fax: 717-533-8661 E-mail: [email protected]
Web site: http://www.cybertech-pub.com
and in the United Kingdom by
CyberTech Publishing (an imprint of IGI Global) 3 Henrietta Street
Covent Garden London WC2E 8LU Tel: 44 20 7240 0856 Fax: 44 20 7379 0609
Web site: http://www.eurospanonline.com
Copyright © 2008 by IGI Global. All rights reserved. No part of this book may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher.
Product or company names used in this book are for identification purposes only. Inclusion of the names of
the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.
Library of Congress Cataloging-in-Publication Data
Kizza, Joseph Migga.
Securing the information infrastructure / Joseph Kizza and Florence Migga Kizza, authors. p. cm.
Summary: “This book examines how internet technology has become an integral part of our daily lives and as it does, the security of these systems is essential. With the ease of accessibility, the dependence to a computer has sky-rocketed, which makes security crucial”--Provided by publisher.
Includes bibliographical references and index.
ISBN 978-1-59904-379-1 (hardcover) -- ISBN 978-1-59904-381-4 (ebook)
1. Cyberterrorism. 2. Internet--Security measures. 3. Computer networks--Security measures. 4. Information superhighway--Security measures. I. Kizza, Florence Migga. II. Title.
HV6773.K59 2008 005.8--dc22
2007007405
British Cataloguing in Publication Data
A Cataloguing in Publication record for this book is available from the British Library.
Table of Contents

Preface
Acknowledgment

Section I: Security Through Moral and Ethical Education

Chapter I: Building Trust in the Information Infrastructure
Introduction
Problems with Building Trust
Steps to Building Trust
Conclusion
References

Chapter II: Need for Morality and Ethics
Introduction
Morality
Ethics
Codes of Professional Responsibility
The Relevancy of Ethics in Modern Life
Conclusion

Chapter III: Building an Ethical Framework for Decision Making
Introduction
Principle of Duty of Care
Work and Decision Making
Pillars of a Working Life
Need for an Ethical Education
Decision Making and the Ethical Framework
Conclusion
References

Chapter IV: Security, Anonymity, and Privacy
Introduction
Security
The Importance of Information Security
Government and International Security Standards
Information Security Evaluation Criteria
Privacy
Privacy and Security in Cyberspace
Conclusion
References

Section II: Security Through Innovative Hardware and Software Systems

Chapter V: Software Standards, Reliability, Safety, and Risk
Introduction
The Role of Software in the Security of Computing Systems
Software Standards
Reliability
Software Security
Causes of Software Failures
Conclusion
References

Chapter VI: Network Basics and Securing the Network Infrastructure
Introduction
Computer Network Basics
Network Protocols and Layering
Network Services
Network Connecting Devices
Securing the Network Infrastructure: Best Practices
Conclusion

Chapter VII: Security Threats and Vulnerabilities
Introduction
Types of Threats and Vulnerabilities
Sources of Information Security Threats
Best Practices of Online Security
Conclusion
References
Appendix: Additional Reading

Chapter VIII: Security Policies and Risk Analysis
Introduction
Information Security Policy
Aspects of Security Policies
Building a Security Policy
Types of Security Policies
Conclusion
References

Chapter IX: Security Analysis, Assessment, and Assurance
Introduction
Threat Identification
Security by Analysis
Security Assessment and Assurance
Conclusion
References

Chapter X: Access Control, Authentication, and Authorization
Introduction
Definitions
Access Control
Authentication
Authorization
Conclusion
References

Chapter XI: Perimeter Defense: The Firewall
Introduction
Types of Firewalls
Other Firewalls
Virtual Private Network
Firewall Issues Before Installation
Configuration and Implementation of a Firewall
Disadvantages of Firewalls
Securing a Network by a Firewall
Conclusion
References

Chapter XII: Intrusion Detection and Prevention Systems
Introduction
Definitions
Background of Intrusion Detection
Basic Modules of an Intrusion Detection System
Intrusion Detection Models
Responses to Intrusion Detection Reports
Types of Intrusion Detection Systems
Challenges for Intrusion Detection
Intrusion Prevention Systems (IPSs)
Conclusion
References

Chapter XIII: Security in Wireless Systems
Introduction
Types of Wireless Technology
The Wireless Communication Infrastructure
Wireless Local Area Network (WLAN): Wireless Fidelity (Wi-Fi)
Security Issues in Wireless Systems
Best Practices for Wi-Fi Security
Conclusion
References

Chapter XIV: Biometrics for Access Control
Introduction
History of Biometrics
Biometric Authentication System
Biometric Identifiers
Advantages of Biometrics
Disadvantages of Biometrics
Why Biometrics are Not Truly Accepted
The Future of Biometrics
Conclusion

Section III: Security Through the Legal System

Chapter XV: Digital Evidence and Computer Crime
Introduction
Definitions
Nature of Digital Evidence
Importance of Digital Evidence
Reliability of Digital Evidence
The Need for Standardization
Proposed Standards for the Exchange of Digital Evidence
The Process of Digital Evidence Acquisition
Investigative Procedures
Conclusion
References

Chapter XVI: Digital Crime Investigation and Forensics
Definition
Computer Forensics
History of Computer Forensics
Network Forensics
Forensics Analysis
Forensics Tools
Conclusion
References

Section IV: What Next?

Chapter XVII: Trends in Information Assurance
Introduction
Global Information Assurance Initiatives and Trends
National and International Information Security Initiatives
Certification Programs
Conclusion
References
Appendix: Additional Reading

Glossary of Terms
About the Authors
Preface
The frequent headlines involving incidents of stolen or hacked user records from company and government institutions, like the recent Veterans Affairs episode, have brought probably unwanted attention to the constant problem of securing vital, essential, and confidential personal, business, and national records from the hands of hackers and thieves. However, to many in the security community, such news has refocused the attention of the nation, if not the whole world, and re-ignited the debate about how far we need to go and what we need to do in order to secure the information infrastructure upon which all vital information happens to reside and is transported.
are serious consequences to total dependence on the information infrastructure and its associated technologies. As we have all witnessed in the last several years, Internet technologies have been like a large cruise ship in the middle of the ocean with all its amenities but without a captain. The 21st century has, thus far, produced the most machine-dependent generation.
This dependence, though for convenience, is turning out to be one of the main sources of our security problems and a potential privacy concern. It is leading to the loss of our privacy, security, and autonomy.
These two developments, taken together, have created an even more tempting environment for online digital crimes than ever before. The annual Computer Crime Survey by the Computer Security Institute/Federal Bureau of Investigation (CSI/FBI) typically is a barometer of computer crime within the United States and every year presents alarming statistics about rising digital crime rates over our public networks. The survey results always paint a picture of cyber crimes bleeding the nation. The CSI/FBI Computer Crime and Security surveys are always targeted at computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities. Recent data from these surveys show some disturbing developments, including:
• There has been a shift from both virus attacks and denial of service, which previously outpaced all others, to theft of proprietary information.
• The percentage of organizations reporting computer intrusions to law enforcement in recent years has declined. The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity.
• Although the vast majority of the organizations view security awareness training as important, respondents from all sectors do not believe that their organizations invest enough in this area.
• Security budgets in organizations are still very low, indicating a low priority given to security.
Data like these point to perhaps the core reason why there is mounting uneasiness and fear of the developing information infrastructure. The main question arising out of this new fear is whether we should trust our new information infrastructure medium. We are at a crossroads, unable to proceed without deciding whether we should trust the path we are taking or not. If we are to trust it, how much trust must we give? Ironically, if we decide to trust, we are trusting a system we know very little about and we understand less.
The book is, therefore, a survey of these issues in four parts. In the four chapters of Section I: Security through Moral and Ethical Education, we focus on moral and ethics education and also discuss related issues of security, privacy, and anonymity as they affect the creation of a strong ethical framework for decision making:
• In Chapter I: Building Trust in the Information Infrastructure, we outline the problems we as members of cyberspace are facing, problems that are challenging our individual selves and society in general. We also outline a summary of what we think is the best approach to bringing trust to an infrastructure with a runaway security problem.
• In Chapter II: Need for Morality and Ethics, we discuss the rising rate of computer-related crime and, in particular, information-related crimes. We point out that the information infrastructure is made up of two components: the man-made component, consisting of hardware and software, and the humanware component, consisting of users. A good solution to the information infrastructure problem must address problems in both of these components.
• In Chapter III: Building an Ethical Framework for Decision Making, we build on the discussion in Chapter II about building a good ethical framework and its central role in securing the information infrastructure. We show that a good ethical framework is essential for good decision making.
• In Chapter IV: Security, Anonymity, and Privacy, we discuss the centrality of security and privacy in the information infrastructure and also the role anonymity plays. The threat to privacy and security is at the core of the problem of securing the information infrastructure. We cannot talk about a secure information infrastructure if we cannot guarantee the security and privacy of individuals and the information on the infrastructure.
Within the 10 chapters of Section II: Security through Innovative Hardware and Software Systems, we cover the practical techniques, protocols, and best practices in use today for a secure information infrastructure. These include software reliability and risk; security threats and vulnerabilities; information security policies and risk analysis and management; access control and authentication; firewalls, intrusion detection, and prevention; and biometrics:
• In Chapter V: Software Standards, Reliability, Safety, and Risk, we focus on software’s role in the security of systems and how we can keep software safe, dependable, and secure as we struggle to make the information communication infrastructure secure. Software, more than anything else, is at the heart of the information communication infrastructure. It is, in fact, one of the three main components of the infrastructure, together with hardware and humanware.
• In Chapter VII: Security Threats and Vulnerabilities, we define and discuss threats and vulnerabilities for the ICT infrastructure. We do this by first identifying the threats and vulnerabilities that attackers such as hackers exploit.
• In Chapter VIII: Security Policies and Risk Analysis, we study the central role of a security policy in securing an enterprise network, as has been pointed out by many security specialists, scholars, and security organizations. We further discuss several other issues about the security policy, including what constitutes a good policy and how to formulate, develop, write, implement, and maintain one.
• In Chapter IX: Security Analysis, Assessment, and Assurance, we look at the implementation of the security policy discussed in Chapter VIII, starting with security assessment and analysis. The risks and potential for security breaches involving sabotage, vandalism, and resource theft are high. For security assurance of networked systems, there must be a comprehensive security evaluation to determine the status of security and ways to improve it through mitigation of security threats. So the various factors affecting security status must be examined and evaluated to determine the adequacy of existing security measures and safeguards, and to determine whether improvements to the existing measures are needed.
• In Chapter X: Access Control, Authentication, and Authorization, we focus on three major security mechanisms from our security tool kit: access control, authentication, and authorization.
• In Chapter XI: Perimeter Defense: The Firewall, we continue the discussion of technical controls and techniques begun in Chapter X by focusing on securing the perimeter of the enterprise network. This discussion consists of two parts: access control and firewalls.
• In Chapter XII: Intrusion Detection and Prevention Systems, we look at intrusion detection, one of the principles that defines security. Since computer networks have come to be pots of honey, attracting many, the stampede for information from computer networks is great and must be met with strong mechanisms. First there is detecting those trying to penetrate the system; second, preventing them from trying; and third, responding to the attempt, successful or not. Although these three are the fundamental ingredients of security, most resources have been devoted to detection and prevention, because if we are able to detect all security threats and prevent them, then there is no need for a response.
• In Chapter XIII: Security in Wireless Systems, we follow the prediction by so many that the next dominant generation of computing technology is going to be wireless. We are already witnessing the beginning of this with the tremendous growth of wireless technology in the last few years. Along with the marvels of a new technology, and more so with wireless technology, there comes an avalanche of security concerns and problems. This is also the case with wired technology. So we carefully look at the current security protocols and best practices.
In the two chapters of Section III: Security through the Legal System, we discuss digital evidence and computer crime, digital crime investigations and forensics, and writing investigative reports.
• In Chapter XV: Digital Evidence and Computer Crime, we shift the discussion from moral and ethical education, which forms an ethical framework for decision making, and from implementation of security technologies, tools, and best practices, to focus on the legal and law enforcement approaches. We believe that, despite the fact that technology has outpaced the legal system and the technology criminals use is sometimes years ahead of that of law enforcement, the legal system can play a very positive and effective role in the security of networks and the communication infrastructure.
• In Chapter XVI: Digital Crime Investigations and Forensics, we focus on the investigative process. We divide the discussion into two parts. First we look at a process known as computer forensics, in which we investigate crime scenes that involve data on computers. We look at the different parts of the computer and how digital evidence can be either hidden in or extracted from the computer. In the second process, we consider the crime scene as not one computer but a network of computers. Our investigation then goes beyond one computer to include the infrastructure of the network and all points in the network where evidence can be either hidden or extracted. We refer to this second process as network forensics.
Finally, in Section IV: What Next?, we conclude with an interesting discourse:
• In Chapter XVII: Trends in Information Assurance, we discuss all of the security best practices, the possible trends in security protocols and best practices, their viability, and their growth in light of rapidly developing technology. We conclude the chapter and the book with a discussion of the possibilities of new technologies and what they should cover.
We believe this kind of approach to the information infrastructure will result in a secure information infrastructure that can be trusted by all of its users and, hence, will be secured for all of us and our children to come.
Joseph Migga Kizza
Chattanooga, TN
Acknowledgment
This is a very comprehensive book covering a wide spectrum of interests in information security. It is, therefore, a challenge to the authors to present materials that will interest and challenge the majority of the intended readers. We made every effort in collecting and presenting materials that we think will go a long way to accomplish this. Along the way as we did this, we encountered many helpful and sometimes unforgettable people who went out of their way just to help by either answering one question or 10, providing a reference, questioning a statement, correcting grammar, or just pointing out a direction. We are grateful to hundreds of these unnamed heroes of this book.
Since early in its inception, this book has taken many turns and forms to get to its present form. This evolution has been a result of both content and syntax reviews, sometimes casual but many times serious. In particular, we want to thank the nameless IGI Global reviewers who made many invaluable suggestions. To all reviewers, we thank you from the bottom of our hearts for the small and large part you played. Whatever your part, you have contributed tremendously to the final product.
Section I
Chapter I
Building Trust in the Information Infrastructure
Introduction
The rapid advances in computer technology, the plummeting prices of information processing and indexing devices, and the development of sprawling global networks have all made the generation, collection, processing, indexing, and storage of and access to information easy and have made the information infrastructure an enjoyable environment. The information infrastructure consists of computer or computer-related hardware, software to run on the hardware, and humanware to run both. The human component in the information infrastructure is essential because humans create the life and dynamism in the infrastructure that has made it what it is. However, humans also create all the problems facing the infrastructure, as we will see throughout the book. Note that the infrastructure we have just defined is
information infrastructure interchangeably. Cyberspace technology has brought more excitement to humanity than ever before. Communication has become almost instantaneous. The speed of data access is chasing the speed of light. Humanity could not have gotten a better technology. However, with the excitement and “bewilderness,” there has come a realization, after rough experiences, that the new technology has a serious downside. Based on individual experiences, the fear of the new technology on which we have come to depend is on the rise. But because the new technology offers humanity more benefits than drawbacks, trust of the technology must be cultivated among its users. Webster’s Dictionary (1989) defines trust, as a noun, as confidence or faith in a person or a thing and, as a verb, as having confidence or faith in someone or something. For us, we want users of the information infrastructure to have confidence in it.
Numerous studies have indicated that the bad experiences encountered by users of cyberspace technology form a small fraction of all the experiences cyberspace offers its users. There are many wonderful and beneficial services that are overshadowed by sometimes sensational reporting of new, but undeniably widespread, bad incidents in cyberspace. These few, sometimes overblown, incidents have created fear and an image of an insecure and out-of-control cyberspace. This, in turn, has resulted in many users and would-be users starting to distrust cyberspace. In fact, the opposite is closer to the truth. There is a lot to gain from cyberspace, both as an individual and as a community. We need to pass the message along that cyberspace is safe, offers lots of benefits, and should be trusted. We have built the protocols and we have identified the best practices to safeguard the information infrastructure for every genuine user. We believe that with rising user trust of cyberspace, the security of cyberspace will be enhanced. However, the road to getting this message across is not easy.
Problems with Building Trust
Probably, many of you who have been around in the last 10 years have experienced two scary and turbulent periods in computing. The first period
global computer networks. These interconnected and interdependent networks provided a very good conduit for these virus attacks. As the world became a mesh of thousands of interdependent computers, more individuals, businesses, organizations, and nations were becoming more dependent on them. This period experienced monstrous and increasingly diverse, sophisticated, and coordinated virus and distributed denial of service attacks, including Melissa, The Goodtimes, distributed denial of service (DDoS) attacks, The Love Bug, Code Red, and Bagle, to name but a few. The inputs fuelling the rise and the destructive power of these attacks were the large volume of free hacker tools on the Internet, which made it easier than ever for amateurs to create and launch a virus; the easy availability of such tools; the widespread use of computers in homes, organizations, and businesses; the large numbers of young people growing up with computers in their bedrooms; the growing “over interest” in computers; the anonymity of users of the Internet; and the ever-growing dependence on computers and computer networks. All these put together contributed to the wild, wild cyberspace of the 1990s.
Since 2000, we have been in a new period, and we are experiencing new attack techniques. This period is, so far, characterized by small, less powerful but selective and targeted attacks. The targets are preselected to maximize personal gains. The targets are carefully chosen for personal identity, which leads to financial gains. Attacks so far in this period are overwhelmingly targeting financial institutions and institutions and businesses that store personal information. The list of victims is long and growing. For example, in this period:
• Bank of America Corp. reported that computer tapes containing credit card records of U.S. senators and more than a million U.S. government employees went missing, putting the customers at increased risk of identity theft.
• ChoicePoint Inc., a Georgia-based credit reporting company, had a breach of its computer databases, which rendered nearly 145,000 people vulnerable to identity theft.
• Data wholesaler LexisNexis, a division of Reed Elsevier, admitted having personal information of about 310,000 of its U.S. customers stolen.
• ChoicePoint, another credit reporting company, had lost account of up to
This rapid stream of attack publicity is not new. It has always been like this, but because of strict reporting laws being enacted in a number of state legislatures like California’s, more and more companies and institutions are reporting the loss of personal accounts. Among the latest companies and institutions are PayMaxx, health care heavyweight San Jose Medical Group, California State University at Chico, Boston College, and the University of California at Berkeley (Sullivan, 2006). These made the headlines, but many more do not.
Personal information has become so valuable that hackers, thieves, and some businesses are crossing legal lines to collect it. The recent disappearance of a small disk containing personal information on almost 4.5 million veterans and army personnel, including their social security numbers and even home addresses, has probably brought some needed awareness to the huge problem, which had not previously made it to a spot on the evening news. The rate at which new ways of information gathering, like pretexting, which is a remake of the old social engineering, are being developed is indicative of the value of personal information. Armed with this information, hackers and information thieves, or information brokers as they like to call themselves, use data such as social security numbers to access bank accounts, illegally acquire houses, and take out mortgage credit lines against them. The possibilities for using personal information are endless.
Another threat that is characteristic of this period, again with a flavor of searching for personal information, is the growing problem of spyware. Spyware is not only threatening enterprise networks and small home-built networks, it is turning computers on these networks into spam-generating machines, which wreak havoc on home personal computers (PCs). Spyware is software for which no purchase or license is necessary. It is normally installed on a computer without the knowledge or consent of the user. It has no set time to install or specified source from which to download. It installs on the user’s computer, without authorization, with the main mission of monitoring some of the information on the computer and making that information available to outside sources as needed. It may send the information once, periodically, or continuously for a long time.
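The “periodically” in the last sentence is the one property of spyware a defender can measure from the network alone: a timer-driven implant reports home at nearly fixed intervals, whereas a person browsing produces bursty, irregular traffic. The following detector is an added example, not code from the book or from any product it names. It assumes a simple constructed outbound connection log format (timestamp, source, destination, bytes out) and an assumed tolerance of 5 percent jitter on the inter-connection intervals; both the log lines and the threshold are illustrative choices, not figures from the text.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not from the book). Host 10.0.0.5 contacts one
# external address every ~300 s with small payloads, the way the text says
# spyware reports "periodically"; host 10.0.0.8 browses normally.
SAMPLE_LOG = """
2006-03-01T09:00:00 src=10.0.0.5 dst=198.51.100.7 bytes_out=512
2006-03-01T09:05:00 src=10.0.0.5 dst=198.51.100.7 bytes_out=498
2006-03-01T09:10:01 src=10.0.0.5 dst=198.51.100.7 bytes_out=530
2006-03-01T09:15:00 src=10.0.0.5 dst=198.51.100.7 bytes_out=501
2006-03-01T09:19:59 src=10.0.0.5 dst=198.51.100.7 bytes_out=520
2006-03-01T09:25:00 src=10.0.0.5 dst=198.51.100.7 bytes_out=515
2006-03-01T09:00:12 src=10.0.0.8 dst=203.0.113.20 bytes_out=1400
2006-03-01T09:00:45 src=10.0.0.8 dst=203.0.113.20 bytes_out=82000
2006-03-01T09:07:30 src=10.0.0.8 dst=203.0.113.20 bytes_out=3100
2006-03-01T09:31:02 src=10.0.0.8 dst=203.0.113.20 bytes_out=600
2006-03-01T09:32:10 src=10.0.0.8 dst=203.0.113.20 bytes_out=250000
"""

# Assumed log line format; adjust the pattern for a real flow exporter.
LINE_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+dst=(\S+)\s+bytes_out=(\d+)$")


def parse_connections(log_text):
    """Group connection records by (src, dst): {(src, dst): [(ts, bytes_out)]}."""
    flows = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # lines not in the assumed format are ignored
        ts = datetime.fromisoformat(m.group(1))
        flows[(m.group(2), m.group(3))].append((ts, int(m.group(4))))
    return flows


def find_beacons(log_text, min_events=5, max_jitter=0.05):
    """Flag (src, dst) pairs whose inter-connection intervals are nearly constant.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    intervals. Human browsing gives a high value; a timer-driven implant a
    low one. Returns a sorted list of (src, dst, period_seconds, event_count).
    """
    hits = []
    for (src, dst), events in parse_connections(log_text).items():
        if len(events) < min_events:
            continue  # too few samples to judge regularity
        times = sorted(ts for ts, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # every record shares one timestamp; no period to measure
        if pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg), len(events)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, period, count in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {count} connections, one every ~{period}s")
```

On the sample, only the 10.0.0.5 to 198.51.100.7 pair is flagged, with a 300-second period over six connections; the browsing host has intervals ranging from 33 to 1,412 seconds and falls well outside the tolerance. The `min_events` floor matters in practice: with two or three connections almost any pair looks regular, so raise it as the observation window grows.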
Spyware is usually distributed through user Web site visits and file downloads. Following these Web site visits and casual downloads, further malware, often more destructive than the spyware itself, is downloaded onto the user’s computer
programs, screen savers, backgrounds, and media files, increases the chances of acquiring malware. Once deposited on a corporate computer, spyware starts to track keystrokes, scan hard drives, and change system and registry settings. Actions like these can lead to identity theft, data corruption, and even theft of a company’s trade secrets.
According to a 2006 study, two-thirds of consumer computers are infected with spyware (Plante, 2006). Because it is so widespread, spyware has become a huge security problem for system administrators and chief security officers (CSOs). It is a management problem and a security nightmare because spyware programs (Plante, 2006):
• Consume network bandwidth with unsolicited advertising traffic
• Overload the security and help-desk staff with the job of cleaning adware from all corporate computers
• Include keystroke loggers and screen-capture software that hide on a user’s computer and then record keystrokes and screenshots that later can be used to reconstruct a user session, which may lead to theft of personal confidential information, like passwords, social security numbers, and banking and other financial information
• May include hacking software, like password crackers and Trojan horses, that can be used to enter the system remotely
Spam is yet another menacing security problem for systems. Spam is unsolicited bulk e-mail. Unlike a penetration or a DDoS attack, which affect system security in a variety of ways, spam does not by itself penetrate a system without authorization or deny system services to users. According to The Yankee Group, a Boston-based research and consulting firm, spam costs U.S. businesses $4 billion annually in lost productivity (Plante, 2006). Spam comes in the form of e-mails, hundreds or thousands of them, sent to a mail server. So many e-mails can become a problem in many ways, including clogging networks and servers so that other security threats can exploit the clogged server.
reliability and integrity of the online information we access and give. For the current dynamism of digital information and electronic commerce (e-commerce) to survive, we need to have and maintain this trust. We must trust online information as we trust brick-and-mortar printed and broadcast information.
There are other problems, including those listed below, that have made the information age and cyberspace a replay of the old wild, wild West, and I discuss them more fully in Network Security and Cyber Ethics (2002).
• Network operating systems and software vulnerabilities
• Limited knowledge of users and system administrators: The limited knowledge computer users and system administrators have about the computer network infrastructure and the working of its protocols does not help advance network security. Rather, it increases the dangers.
• Lack of planning: There is no clear plan, direction, or blueprint to guide the national efforts in finding a solution to information infrastructure problems.
• Complacent society: The public has yet to come to terms with the fact that cyberspace is dangerous and one ought to be cautious.
• Inadequate security mechanisms and solutions: The existing solutions are best practices and are not comprehensive enough; they are still technology or application specific. Also, they are so far not really solutions but patches.
• Poor reporting of computer crimes: The number of reported cyber crimes tracked by CERT, the FBI, and local law enforcement authorities is low.
• Solution overload: There are just too many “solutions” and “best practices” to be fully trusted. It takes more time looking for a more effective solution.
Internationally, the picture is no better; in fact, it is worse in some aspects than it is in the United States, according to The.Global.State.of.Information. Security.2005, a worldwide study by CIO, CSO, and PricewaterhouseCoo-pers (PwC) in the CSO.Online.Magazine.(Berinato, 2005). In the report, the author compares the global information security picture to an escaped
third annual report in which they surveyed more than 8,200 IT and security executives from 63 countries on six continents, the data shows disturbing patterns. It shows:
• A notable lack of focus on actions and strategies that could prevent these incidents in the first place
• A remarkable ambivalence among respondents about compliance with government regulations
• A clear lack of risk management discipline
• A continuing inability to create actionable security intelligence out of mountains of security data
For example, the survey reveals that just 37 percent of respondents reported that they had an information security strategy, and only 24 percent of the rest say that creating one is in the plans for next year.
The report also revealed that while the numbers on incidents, down time, and damages have remained steady, there is an increase in other numbers that are cause for alarm:
• The sharply rising number of respondents who report damages as “unknown”—up to 47 percent
• During the past year, could also contribute to the rising “unknown” group
• Increased sophistication and complexity of attacks, hitting more complex targets
Steps to Building Trust
Against this background, efforts need to be and are being taken to protect online data and information and enhance user trust of the information infrastructure. Such trust will create confidence in the information infrastructure
the information infrastructure, developing tools and best practices to protect hardware and software products that make up the information infrastructure, and creating and enforcing a strong legal framework. Such approaches would involve measures, such as:
• Developing a culture-neutral and nonreligious value-based moral framework
• Developing effective security protocols, including security policies and models of security governance, assessment of the security threats, intrusion detection and prevention, and authentication and access control regimens
• Enacting legislation
• Providing self-regulation
• Developing an effective and enforceable legal framework that involves computer forensics
Without firm security controls and best practices like these, we will never be able to secure the ever-growing information infrastructure upon which all societies and individuals have come to depend.
Conclusion
This is an introductory chapter where we have defined both the information
References
Berinato, S. (2005). The global state of information security 2005. CSO Online Magazine. Retrieved from http://www.csoonline.com/read/100105/survey.html
Sullivan, B. (2005, February). ChoicePoint theft prompts Senate investigation: Other lawmakers seek GAO probe of terror risks. Retrieved June 29, 2007 from http://www.msnbc.msn.com/id/7024899/
Plante, A. Stuffing spam: Filters stem the flow of junk e-mail, but spam remains
Chapter II
Need for Morality and Ethics
Introduction
Morality
Morality is a set of rules of right conduct; it is also a system used to modify and regulate our behavior. It is a quality system of human acts by which we judge them right or wrong, good or bad. This system creates moral persons who possess virtues like love for others, compassion, and a desire for justice; thus it builds character traits in people. Morality is a lived set of shared rules, principles, and duties, with no reference to the desires, aspirations, interests, or powers of any particular person. However, the degree of living and sharing of these values varies greatly. We may agree more on values like truth, justice, and loyalty than on others.
Ethics
While morality is the pursuit of the good life, ethics is the science of the examination of that life to which Socrates devoted his life and for which he died. Ethics is, therefore, a study of right and wrong in human conduct. It is a theoretical examination and justification of morality. The role of ethics is to help societies to distinguish between right and wrong and to give each society a basis for justifying the judgment of human actions. When the interest of other people is affected, the justification for human actions becomes complicated and paramount, as it requires a demonstration that shows the balance of good to harm is acceptable and is in the interest of everyone. Ethics is, therefore, a field of inquiry, the subject of which are human actions, collectively called human conduct, that are done consciously, willfully, and for which one can be held responsible. Such acts must have, according to Fagothey (1959), knowledge that signifies the presence of a motive, “volunteeriness” to signify that it is willed, and freedom to signify the presence of free choice to act or not to act. It is also a theoretical examination of morality.
Ethical Theories
For centuries in different societies, human actions have been judged good or bad and right or wrong, based on theories or systems of justice that were developed, tested, revised, and debated by philosophers and/or elders in that society. Such theories are commonly known as ethical theories. An ethical theory is that which makes an action or set of actions morally right or wrong. Codes of ethics have then been drawn up, using and based on these ethical theories. The processes of reasoning, explanation, and justification used in ethics are based on these theories.
Sophism
In her article Sophism: The Philosophy of the Sophists, Gill defines sophism as an ancient Greek philosophy that started around the 5th century B.C. and was made famous by Plato, Aristotle, and Aristophanes. The philosophy consisted of techniques from highly respected Greek philosophers that emphasized rhetoric rather than virtue. Because of this, sophists were taken as philosophers who were capable of perverting the truth, because they could argue any side of an issue. The techniques were misused, and sophists charged high fees for their services, which eventually led to the decline in this philosophy. Sophism was and is still criticized for the process of its argument. In an argument, a conclusion is arrived at after a systematic and logical sequence of premises. The argument makes sense when the premises are connected together by logic. The conclusion is deemed true or false by the audience or judge based on the flow of the premises in the argument. Sophism is criticized for attacking the role of logic and its validity in the argument. Perhaps poet Emily Dickinson in her poem Tell All The Truth But Tell It With a Slant (Kennedy, 2003) captures the spirit of the sophists.
Socratic Method
and eliminating those which lead to contradictions. By doing this, Socrates thought that he could force individuals involved in the argument to steadily examine their own beliefs and the validity of such beliefs.
Platonism
According to the online Stanford Encyclopedia of Philosophy (1978), Platonism is the view that there exist abstract objects (nonphysical—not physically existing; and nonmental—they are not minds and are not ideas in minds, brains, disembodied souls, Gods, or anything else along these lines). Such objects are not affected by time and space. They are, therefore, unchanging and cannot interact with other physical objects. For example, think of properties and relations in object-oriented programming. These are considered abstract objects.
Platonism, therefore, advances a theory or doctrine of ideas of something whose originality, in particular, does not exist in the reality of the time-space continuum, except through instantiation of the idea. These ideas are, therefore, infinite and, according to the Encyclopedia of Philosophy (1978), they compose the object or whole of all knowledge and aspiration, which form the one and absolute real being, the Platonic supreme idea of the good. Based on these ideas, rationalists, of which Plato was a member, associate recollection as a theory of knowledge, that is, innate knowledge, which are ideas and knowledge that we are born with, rather than acquire through experience. Various world religions also have interpreted the Platonic theory of ideas to subscribe to the existence of God.
Cynicism
Other Variants of the Major Greek Philosophical Theories
The philosophical theories we have discussed above were all developed by the Greeks. Greek philosophy gave imprints that are still seen today in all Western philosophy. It defined the terms and gave variants to the philosophical theories being used today. Some of these variants include: consequentialism, deontology, human nature, relativism, hedonism, and emotivism.
Consequentialism
We think of the right action as that which produces good consequences. If an act produces good consequences, then it is the right thing to do. Those who subscribe to this position are called consequentialists. Consequentialists judge human actions as good or bad and right or wrong, based on the results of actions—a desirable result denotes a good action, and vice versa. According to Hull (1979), utilitarian theories have three parts: a theory of value, a principle of utility, and a decision procedure. Within these, there are further theories. For example, in the theory of value, there are several other theories held by utilitarians, including (Hull, 1979):
• Hedonism, which equates good with pleasure and bad or evil with pain.
• Eudaemonism, which equates good with happiness and bad or evil with unhappiness.
• Agathism, which views good as an indefinable, intrinsic feature of various situations and states, and evil as either an indefinable, intrinsic feature of other situations and states, or simply as the absence of good.
• Agapeism, which equates good with love and bad with hate.
There are three commonly discussed types of consequentialism theory (Kizza, 2002):
• Egoism: This theory puts an individual’s interests and happiness above everything else. With egoism, any action is good as long as it maximizes an individual’s overall happiness. There are two kinds of egoism: ethical egoism, which states how people ought to behave as they pursue their own interests, and psychological egoism, which describes how people actually behave.
• Utilitarianism: Unlike egoism, this theory puts a group’s interest and happiness above those of an individual. Thus an action is good if it benefits the maximum number of people. Among the forms of utilitarianism are the following:
  Act Utilitarianism: which tells one to consider seriously the consequences of all actions before choosing that with the best overall advantage, happiness in this case, for the maximum number of people; and
  Rule Utilitarianism: which tells one to obey those rules that bring the maximum happiness to the greatest number of people. Rule utilitarianism maintains that a behavioral code or rule is good if the consequences of adopting that rule are favorable to the greatest number of people.
• Altruism: In altruism an action is right, if the consequences of that action are favorable to all except the actor.
Deontology
The theory of deontological reason does not concern itself with the consequences of the action, but rather with the will of the action. An action is good or bad depending on the will inherent in it. According to deontological theory, an act is considered good if the individual committing it had a good reason to do so. This theory has a duty attached to it. In fact, the word “deontology” comes from two Greek words: deon meaning duty and logos.
Human Nature
The theory of human nature tries to answer several questions about human nature and the purpose of life. Are human beings endowed with all faculties and capabilities to live in happiness? These questions lead to an exploration of the understanding of the working of the human mind, why it works in such a way and not another, and whether the answers to these questions lead us to understanding what is man’s ultimate nature. There are several explanations for the nature of man.
According to Wilson (1978), no species, ours included, possesses a purpose beyond the imperatives created by its genetic history. Species may have vast potential for material and mental progress, but they lack any immanent purpose or guidance from agents beyond their immediate environment or even an evolutionary goal toward which their molecular architecture automatically steers them. Human brains exist only to promote the survival and multiplication of the genes that direct the assembly of man; the mind is a device for survival and reproduction. Reason is just one of its various techniques to maintain itself. In essence, the human capabilities that give us drive, wit, love, pride, anger, hope, and anxiety are but a part of the perpetuation of the same human cycle. Wilson (1978) further explains that the brain evolved by natural selection. Even the capacities to select particular esthetic judgments and religious beliefs must have arisen by the same mechanistic process, as either direct adaptations to past environments in which the ancestral human populations evolved or, at most, constructions thrown up secondarily by deeper, less visible activities that were once adaptive in this stricter, biological sense.
Relativism
This theory is negatively formulated, denying the existence of universal moral norms. It takes right and wrong to be relative to society, culture, or the individual. Relativism also states that moral norms are not fixed in time.
Hedonism
drug stimulants. There are many problems with the purest form of hedonism, and it has been rejected on moral grounds by many because it is not considered healthy for long-term happiness. This is what is called the hedonism paradox. A hedonist acts only for maximum pleasure, and whatever he or she does is done to maximize pleasure or minimize pain. There are several types of hedonism, including: psychological hedonism, which claims that, in fact, what people seek in their everyday actions is pleasure, and ethical hedonism, which claims that people ought to seek pleasure and that pleasure is the moral good. Other forms of hedonism include sensory hedonism, which considers that pleasure and happiness result from sensory pleasure. This leads to the hedonist belief that the value of a life is determined by the total amount of sensory pleasure it contains, minus the total amount of sensory pain it contains. The fourth category of hedonism we will discuss is attitudinal hedonism. According to Feldman (2002), attitudinal hedonism states that what makes a life good for one who lives it is that it contains a lot of enjoyment, or attitudinal pleasure, and relatively little disenjoyment, or attitudinal pain.
Emotivism
This theory maintains that ethical statements are neither true nor false and cannot be proven; they are really only statements about how someone feels (Internet Encyclopedia of Philosophy).
Philosophers use these theories as engines to help them understand and justify human actions. Although over the years and in different places, changing values have been attached to human actions, these ethical theories have remained relatively unchanged. This means that although ethics as a discipline is evolving, ethical reasoning has relatively remained the same. In other words, Aristotle and Plato’s reasoning to explain and justify human actions is still valid, although the premises surrounding human actions are changing with time and with every new technology.
Ethical Reasoning
else the goodness or badness and the rightness or wrongness of one’s action, one must labor through layers of explanations to justify taking such actions. For example, in the aftermath of Hurricane Katrina in New Orleans, the world witnessed droves of people breaking into department stores and coming out with bags of merchandise. This action was very controversial. It might have been condemned by some people as stealing and praised by others as an ingenious way to survive. Imagine yourself trying to convince somebody who does not think like you, whatever your position was on those acts. You probably would go through several layers of reasoning to convince the fellow that your judgment of the action was the way it was and a good one. The spectrum of human actions on which ethical judgments can be based is wide ranging, from simple, traditional, and easy-to-understand actions like killing and stealing, to complex and abstract ones like hacking, cellular telephone scanning, and subliminal human brain alterations. On one side of this spectrum, the inputs have straight output value judgments of right and wrong or good and evil. On the other end of the spectrum, there are, however, inputs that cannot be easily mapped into the same output value judgments of good and bad or right and wrong. It is at this side of the input spectrum that most new human actions created as a result of computer technology are found. Computer technology created new possibilities where there were none. It creates new muddles that make decision making complex and strenuous. It is this kind of environment that we find ourselves in today. It is the reason we need moral and ethical education and codes of conduct.
Codes of Professional Responsibility
The main domains in which ethics are defined are governed by a particular and definitive regiment of guidelines and “rules of thumb” called “codes of
• Principles, which may act as guidelines, references, or bases for some document
• Public policies, which may include aspects of acceptable behavior, norms, and practices of a society or group
• Codes of conduct, which may include ethical principles
• Legal instruments, which enforce good conduct through courts
Although the use of codes of ethics is still limited to professions and high-visibility institutions and businesses, there is a growing movement toward widespread use. The wording, content, and target of these codes differ greatly. Some codes are written purposely for the public, others target employees, and yet others are for professionals only. The reader is referred to the codes of the Association for Computing Machinery (ACM) and the Institute of Electrical and Electronics Engineers’ Computer Society (IEEE Computer Society), both professional organizations. The ACM code can be found at www.acm.org and the code for the IEEE Computer Society is at www.ieee.org.
Objectives of Codes
Different domains and groups of people formulate different codes of ethics, but among them, they all have the following objectives (Kizza, 2002):
• Disciplinary: By instilling discipline, the group or profession ensures professionalism and integrity of its members.
• Advisory: The codes are usually a good source of tips for members and offer advice and guidance in areas where there are fuzzy moral issues.
• Educational: Ethical codes are good educational tools for members of the domain, especially the new ones who have to learn the do’s and don’ts of the new profession. These codes are also a good source of renewal for the older members, needing to refresh and polish their possibly waning morals.
• Inspirational: Besides being disciplinary, advisory, and educational,
• Publicity: One way for professions to create a good clientele is to show that they have a strong code of ethics and, therefore, their members are committed to basic values and are responsible.
The Relevancy of Ethics in Modern Life
When Socrates made the statement “The unexamined life is not worth living” before the Athenian court in 399 B.C., human life was as it is today in almost every aspect, except the quality. The essence of life has not changed much between Socrates’ time and now. We still struggle for the meaning of life; we work to improve the quality of life; and we do not rest unless we have love, justice, and happiness for all. Socrates spent all his life questioning the people of Athens so that they, together with him, could examine their individual lives to find “what they individually ought to do” “to improve the lot of humankind.” Many philosophers and those not so schooled believe that this is the purpose of ethics.
The difficulty in finding “what I individually ought to do” has always been and continues to be for modern life the myriad of decisions that must be made quickly, with an overwhelming and quickly changing, up-to-the-minute flow of information, and must be done reasonably well. This is not a simple statement that can be quickly overlooked. We face these decision-making dilemmas every minute of every day. Under these circumstances, when we are faced with the need to make such decisions, we really need to have enough information and a strong enough backing in moral and ethical education to build an ethical framework on which to base our judgment for a sound decision. When the information at hand is not complete and when the necessary knowledge and understanding of the reality to be able to make the decision is lacking, then the ability to approximate the consequences of the decision many times leads to a bad decision. For a number of people, when the ingredients of a good decision-making process are missing, they rely on habits. Decisions based on habits are not always sound ethical decisions, and they are not always good.
Conclusion
In this chapter, we have defined morality and ethics, discussed the need for both, but more so discussed the need for ethics education. In the next chapter, we are going to use this ethics education to build a strong ethical framework, which will form a basis for sound and ethical decision making as one of the techniques to make the information infrastructure safe.
References
Fagothey, F. A. (1959). Right and reason (2nd ed.). Rockford, IL: Tan Books and Publishers.
Feldman, F. (2002). The good life: A defense of attitudinal hedonism. Philosophy and Phenomenological Research, 65, 604-628.
Gill, N. S. (2007). Sophism—The philosophy of the sophists. Ancient/Classical History. Retrieved from http://ancienthistory.about.com/cs/philosophy/g/sophism.htm
Hull, R. (1979). The varieties of ethical theories. Buffalo, NY: Buffalo Psychiatric Center.
Internet encyclopedia of philosophy. (2007). Retrieved from http://www.utm.edu/research/iep/ni/m-ration.html
Johnson, D. J. (1994). Computer ethics (2nd ed.). Englewood Cliffs, NJ: Prentice Hall.
Kizza, J. M. (2002). Ethical and social issues in the information age (2nd ed.). New York: Springer.
Stanford encyclopedia of philosophy. (1978). Retrieved from http://plato.stanford.edu/entries/platonism/#1
Chapter III
Building an Ethical Framework for Decision Making
Introduction
Principle of Duty of Care
Duty of care is our individual implicit responsibility to other individuals in our society in whatever we do. The principle of duty of care is also the formalization of these individual responsibilities towards one’s community and society. Human beings are social animals that must exist in communities. So as members of these communities in which we live, we shoulder these social responsibilities to be mindful of others within our communities in whatever we do. Our working life, therefore, bears this responsibility.
Since a working life involves a continuous sequence of daily decision making, we will look at the process of decision making as the cradle of the duty of care, because no decision should, and indeed must, be taken without it. Wrong decisions, lacking the responsibilities in the duty of care, should lead to the feeling of guilt about the wrong decisions and how to avoid them. By the very nature of a working life, workers are decision makers. From the time one checks in at the place of work until the end of the working day, and even beyond, a worker must make hundreds of decisions. A good decision must take into account the principle of the duty of care and be anchored by an ethical framework.
Work and Decision Making
Good decisions are not only based on an ethical framework, but also on the decision maker’s abilities. The decision maker’s abilities are based on the following basic requirements, namely (Kizza, 2002):
1. A set of highly developed skills and deep knowledge of the domain: Skills and deep knowledge of the domain are both acquired and developed over an extended period of formal schooling and experience at work. Acquiring a sophisticated level of knowledge is crucial because skills based on shallow knowledge of the domain could be damaging in cases involving decisions that require understanding, analysis, and adoption of concepts to suit the environment or the problem.
2. Autonomy: When at work, both employers and employees make
must decide on the tasks to assign to the employees, who must decide on how to approach the assigned task. Both decisions must result in a finished task. Both the employee and employer have a variety of options to choose from, based on their experiences and knowledge. The choice of options to finish the task carries with it a certain degree of autonomy. The more knowledgeable and experienced the worker is, the more options he or she can provide and, therefore, the more autonomy he or she enjoys.
3. Observance of a code of conduct: In Social and Ethical Issues of the Information Age (Kizza, 2002), I point out that a working individual normally observes four codes of conduct: professional, personal, institutional, and community. These codes are intertwined. In some cases, they are so intertwined that it is difficult to extricate one from the others. Let us first look at each one of these individually and then discuss how to manage the maze made by these codes (Kizza, 1996):
• The professional code: Consists of a set of guidelines to which the professional must adhere, spelling out what he or she ought to do and not do. Its purpose is to protect both the image of the profession and that of the individual members. Thus it is a requirement for the profession that members adhere to the code.
• A personal code: Consists of a set of individual moral guidelines focusing on the very moral fabric an individual acquires from childhood, and it supplements the professional code significantly.
• The institutional code: A code imposed by the institution for which the professional is working. This code is meant to build and maintain the public’s confidence in the institution and its employees.
• The local code: A community standard code developed over a period of time based on either the religion or culture of the indigenous people in the area. It may be imposed by civil law or the culture of the community in which the professional works.
Not every worker observes the four codes at any one time. However, a worker must be prepared to observe all four.
may not support euthanasia, whether her individual moral code does or not. So because the institutional, community, and professional codes do not support euthanasia, the doctor may not find it in her best interest to grant the patient his wish, even if she agrees with the patient. As we discuss later, the requirement that any action taken by a professional must fall within the intersection of the four sets of codes may present moral dilemmas for the professional in the decision-making process and, consequently, tarnish the professionalism of the individual.
Pillars of a Working Life
A good working life is supported by four pillars: commitment, integrity, responsibility, and accountability (Kizza, 2002).
Commitment
Commitment, according to Humphreys (1987), has these six characteristics:
1. The person making the commitment must do so willingly, without duress: The person executing the commitment must like what he or she is doing. If commitments are in the form of assignments with little autonomy, it is more likely the commitment may not be there.
2. The person responsible must try to meet the commitment, even if help is needed: Because commitments are not assignments, the person who has made the commitment is assumed to have the know-how, the autonomy to vary steps, and the skills to do the job. Professionals possess these characteristics, plus they have the ability to seek the necessary skills from others to circumvent obstacles that may arise, so more commitment is expected of them.
3. There must be agreements on what is to be done, by whom, and when: Professionals entering into a commitment must have advance
respective parts and, in this case, commitment for these smaller parts is as important as the commitment for the whole job. If the smaller parts are assigned to nonprofessionals, they are considered assignments, and the commitment must lie with the professional assigning the parts. Such commitment is carried out through supervision of the nonprofessional members of the team.
4. The commitment must be openly and publicly stated: Open commitments are transparent and easily correctable if there are problems. Professional commitments must fall within the allocated resources of time, material, and money. If a commitment is public, there are more chances that most of the sourcing, acquisition, distribution, and use of the resources will be transparent, and, thus, the job is likely to be done more smoothly.
5. The commitment must not be made easily: Before entering into a commitment, professionals should do research to make sure that what they are entering into is not a Trojan horse (something or someone intended to defeat or subvert from within).
6. Prior to the committed date, if it is clear it cannot be met, advance notice must be given, and a new commitment negotiated: It is a sign of responsibility and commitment to have the courage to tell others of shortfalls in parts of the agreement, so if there is anything to be done to meet the deadlines, it is done without acrimony.
Integrity
Integrity means a state of undivided loyalty to self-belief. It is honesty, uncompromising self-value, and incorruptibility. The word “integrity” comes from the Latin word integritas, which means entire, undivided, or whole. To stay undivided in one’s beliefs professionally requires three maxims of integrity, namely: vision, love of what one is doing, and commitment to what one has to do.
1. Vision: Having vision is the capacity to anticipate and make a plan of action that will circumvent obstacles and maximize benefits. Vision is
2. Love: Numerous studies have shown that people who love what they do, do it better than those who do it because they have to. In school, children who have a love for a subject perform far better than those who do it because it is a requirement. When people choose professions, they should do so because they have a love for the work. The amount of love put in helps maintain the morality of one’s actions, because what is being done is no longer a chore but a creation; and we all know people love their own creations.
3. Commitment: The vision and love applied to the work bond the individual to whatever he or she is doing until it is done. This is commitment as we defined it earlier.
Responsibility
Responsibility deals with roles, tasks, and actions and their ensuing consequences. For example, as parents, we have an obligation and a duty to bring up our offspring. That is parental responsibility. But responsibility also depends on a person’s value system, which is based on his or her environment and culture. There are various types of responsibilities, including personal, communal, parental, and professional, and these responsibilities vary depending on the age of the individual and his or her position in society. For example, the responsibilities of a 5-year-old are far different from those of a 40-year-old. Clearly, the responsibilities of a country’s chief executive are different from those of a janitor. When individuals choose a lifestyle implied in a career or a vocation, they choose and must accept the package of responsibilities that go with that lifestyle.
Accountability
One way we can define accountability is the obligation to answer for the
1. A set of outcome measures that reliably and objectively evaluate performance: In every profession there is a minimum set of measures that every individual in that profession must meet. This set must be carefully selected and those measures must be attainable. However, these measures vary according to the profession and the individual activity to be performed by the professional. For example, in the teaching profession, one of the measures might be the success rate of students when they take standardized examinations.
2. A set of performance standards defined in terms of these outcome measures: Like outcome measures, performance standards must be carefully chosen and attainable. These standards are also very dependent on the profession, but each profession must have a set of common performance standards for all of its members for every type of service or product provided by that profession. For the teaching profession, the standard of output measures may be the passing of standardized examinations at a certain predetermined level. In the law profession, it might be the ability of a judgment to stand on subsequent appeals. Whatever standard of measure is chosen, it must be plausible and measurable.
3. A set of incentives for meeting the standards and/or penalties for failing to meet them: The incentives chosen must be good enough so as not to create undesirable motives. For example, if the incentives are too good, they may force professionals to put the interest of their customers and clients below the interest of attaining the measures. If the incentives are monetary, they may force professionals to put the interest of making money ahead of the services they are supposed to offer. Similarly, the penalties prescribed must not be so harsh that they drive away those who intend to enter the profession. Harsh penalties also tend to make people in the wrong hide their actions and dig in deeper for fear of being discovered.